Monday, April 21, 2014

Xmarks and the Heartbleed Bug

As many of you are aware, recently a major security flaw known as the Heartbleed bug was discovered in OpenSSL, a low-level cryptographic library used by Internet web servers for securing web traffic. The flaw affected a majority of websites, including Xmarks.

Our servers were patched shortly after learning of the vulnerability on the morning of 8 April, 2014. Also as of 16:00 EDT on that day, we deployed new SSL certificates.

Although we have no evidence that the flaw was exploited during the time the vulnerability was in place, it is possible that bookmarks, usernames, and hashed login passwords may have been exposed to attackers. Passwords synced with Xmarks password sync are stored and received in encrypted form with a PIN that is never sent to the Xmarks server. Security of these passwords will depend on the PIN used.

As a precaution, we are recommending that if you have not already changed your password, please do so now. Once logged in at Xmarks.com you can click "My Account" and select the "Change Password" option (https://login.xmarks.com/account/change_password).

If you use Xmarks password sync and a weak encryption PIN, please also consider changing the passwords stored in your browser vault.